
With the recent changes it seems that SameSite cookie attributes are throwing a wrench into my website now. A cross-browser iframe that was working before on my site is now broken - even with the SameSite=None; Secure being passed through the iFrame in the response header.

I've seen very different reports from people saying Windows 7 doesn't support SameSite=none. Others saying the Secure is breaking or not breaking it. But even the current Microsoft documentation doesn't lay out exactly how Win7 IE11 should react to SameSite=None.

At this point I'm looking for some tips or tricks from anyone who could assist. I've done everything I can think of. This worked before and now suddenly is blocking out the iFrame and throwing a 500 error. Could the order of the set-cookie be causing this?

From some browser testing I've found the following:

  • Windows 10 - IE11 broken, Edge broken, Edge(beta) works
  • Windows 8.1 - IE11 works, Edge(beta) works
  • Windows 8 - IE11 broken, Edge(beta) works
  • Windows 7 - IE11 broken, No Edge
The Set-Cookie response header:

    Set-Cookie MySitePersistence=436457226.47873.0000; path=/; httponly; secure; SameSite=none; Secure

I tried targeting IE directly as a rewrite preCondition using

    <add input="{RESPONSE_Set_Cookie}" pattern="." />
    <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="^.*MSIE ([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="^.*Trident/.*rv:([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />


The issue occurs because the ASP.NET_SessionId cookie was not always being sent, due to the new changes in cookies, and the cookie now had a SameSite=Lax attribute.

You could set the SameSite property for the session cookie to “None” by adding this in web.config:

    <system.web>
        <sessionState cookieSameSite="None" />
    </system.web>

This with the outbound rules (SameSite=None; Secure) will work. You could refer to this similar thread.

More information to reference:

(1) SameSite in code for your ASP.net applications

(2) SameSite=Lax in the new world

(3) SameSite cookie updates in ASP.net, or how the .Net Framework from December changed my cookie usage

• Updating <sessionState> to include cookieSameSite="None" is what fixed it. The only worry I have is this would be adding sameSite="none" to every page, correct? Before we were trying to target only particular browsers. What type of security issues should we be worried about now?
  – CJdriver, commented Feb 13, 2020 at 16:37
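As an added illustration (not code from the question or the answer), this is how the two parts the answer combines fit into one web.config: the session-cookie setting, plus an outbound URL Rewrite rule built around the question's own preConditions so that "SameSite=None; Secure" is appended only to Set-Cookie headers that lack it and only for non-IE clients. The rule and preCondition names are assumed, and the site is assumed to be served over HTTPS.

```xml
<configuration>
  <system.web>
    <!-- Session cookie is emitted with SameSite=None by ASP.NET itself
         (requires the .NET Framework update the answer's links describe) -->
    <sessionState cookieSameSite="None" />
    <!-- A SameSite=None cookie must also be Secure; requireSSL makes
         ASP.NET-issued cookies Secure by default (assumes HTTPS-only site) -->
    <httpCookies requireSSL="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rule and preCondition names below are assumed -->
        <rule name="AddSameSiteNone" preCondition="NoSameSiteAndNotIE">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <!-- {R:0} is the whole original Set-Cookie value -->
          <action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
        </rule>
        <preConditions>
          <!-- default logicalGrouping is MatchAll: every line must hold -->
          <preCondition name="NoSameSiteAndNotIE">
            <!-- a Set-Cookie header is present on this response ... -->
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <!-- ... it does not already carry SameSite=None
                 (this also skips the session cookie set above) ... -->
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
            <!-- ... and the client is not IE: MSIE token for IE 10 and
                 earlier, Trident/rv: for IE11 (patterns from the question) -->
            <add input="{HTTP_USER_AGENT}" pattern="^.*MSIE ([0-9]{1,}[\.0-9]{0,})*.*$" negate="true" />
            <add input="{HTTP_USER_AGENT}" pattern="^.*Trident/.*rv:([0-9]{1,}[\.0-9]{0,})*.*$" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

With the negated user-agent lines in place, IE on Windows 7 never receives SameSite=None, which is the case the question reports as broken; every other client gets SameSite=None; Secure on cookies that did not already have it.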
